Splunk CLI
The Splunk Command Line Interface is commonly referred to as the "CLI". Below is a quick summary of some CLI commands, and important parameters that you can use. For the most detailed and up-to-date description of CLI commands/parameters and their operation, refer to Splunk's command line help by typing the following from the command line while Splunk is running:
./splunk help
CLI commands
Syntax
Splunk CLI commands take the form:
./splunk command object [-parameter value]...
Commands perform operations on objects (such as userdata, globaldata, server, etc.), and certain parameters can optionally be applied.
| Command | Operation | Example |
|---|---|---|
| add | Add data inputs, user accounts, saved searches, and bundles. | ./splunk add tail var/log |
| anonymize | Anonymize data samples. | ./splunk anonymize file -source '/home/myname/logs/*.log' |
| clean | Erase (clean) different types of user-generated data off of the server. | ./splunk clean globaldata |
| display | Display bundles, or distributed features. | ./splunk display local-index |
| disable | Disable bundles and distributed search features. | ./splunk disable listen |
| edit | Edit data inputs, user accounts, saved searches, and bundles. | ./splunk edit saved-search apache_errors -terms "404 OR 403" |
| enable | Enable bundles and distributed search features. | ./splunk enable listen 9997 |
| export | Export data from the server to a specified directory. | ./splunk export globaldata -auth gwb:d3cidr |
| find | Find logs for Splunk to index. | ./splunk find logs "../etc;../var" |
| help | Display the default help page for the command line help. | ./splunk help |
| import | Import data from a specified directory to the server. | ./splunk import userdata -dir /tmp/export.dat -subset eventtypetags,hosttags |
| install | Install bundles to the Splunk server. | ./splunk install bundle /root/downloads/apache.bundle |
| list | List the status of various server configuration attributes. | ./splunk list tail |
| login, logout | Authenticate a session to a Splunk server with an Enterprise license (login), or end an authenticated session (logout). | |
| recover | Recover files in the event of a crash. | ./splunk recover |
| refresh | Update the deployment server with current deployment client server information. | ./splunk refresh deploy-client |
| reload | Reload the deployment clients with current deployment server data. | ./splunk reload deploy-server -class wwwclass |
| remove | Remove data inputs, user accounts, saved searches, and bundles. | ./splunk remove bundle myBundle |
| resurrect | Make data available that has previously been archived. | ./splunk resurrect /tmp/myarchive test 01/01/2000:00:00:00 01/01/2001:00:00:00 |
| search | Execute a search. See the search reference in the user guide for details on how to execute a search. | top" |
| set | Set current properties of various server attributes. | ./splunk set deploy-poll 10.1.1.5:8089 |
| show | Show server attributes. | ./splunk show license |
| spool | Read a file or directory only once, or read archived files. | ./splunk spool /tmp/logs.tgz |
| start, stop, restart | Start, stop, or restart your Splunk server. | ./splunk start |
| status | Show the status of Splunk's processes. | ./splunk status splunkd |
| test, train | Improve Splunk's handling of dates, source types, and fields. | ./splunk train dates onoes.txt |
| unresurrect | Delete directories that have been resurrected. | ./splunk unresurrect foobar 07/01/2004:00:00:00 08/01/2004:00:00:00 |
| upgrade | Upgrade bundles. | ./splunk upgrade bundle leprechaun.bundle |
| validate | Check the correctness of a Splunk index. | ./splunk validate index main |
| version | Display Splunk's version and build number. | ./splunk version |
auth and uri parameters
The parameters auth and uri can be used with any command. uri is used to send commands to another Splunk server, and auth is used for commands that require authentication with a Splunk server.
auth
auth can be added to any command to authenticate with the server if authentication is needed to execute the command.
Note: auth must be the last parameter specified.
./splunk command object [-parameter value]... -auth username:password
uri
uri tells Splunk to send a command to another Splunk server.
./splunk command object [-parameter value]... -uri [http|https]://name_of_server:port
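The following shell functions are an added example, not part of the Splunk documentation or the splunk binary. They assemble the argument list for a remote, authenticated CLI call and enforce the two rules stated above: the -uri value must have the form [http|https]://name_of_server:port, and -auth must be the last parameter on the line. The splunk binary is not run; the functions print the argv they would pass, one element per line, so the ordering can be checked offline. The server name splunk.example.com, port 8089 and the credentials admin:changeme are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Splunk's own code): compose and check a remote CLI call.

# Validate a -uri value: scheme http or https, a server name, and a numeric
# port, with nothing after the port.
valid_splunk_uri() {
    scheme="${1%%://*}"
    [ "$scheme" != "$1" ] || return 1              # no "://" present at all
    [ "$scheme" = http ] || [ "$scheme" = https ] || return 1
    rest="${1#*://}"                                # name_of_server:port
    host="${rest%%:*}"
    port="${rest#*:}"
    [ -n "$host" ] || return 1                      # empty server name
    [ "$port" != "$rest" ] || return 1              # no ":port" given
    case "$port" in
        ''|*[!0-9]*) return 1 ;;                    # empty or non-numeric port
    esac
    return 0
}

# Compose the argv for:
#   ./splunk command object [-parameter value]... -uri URI -auth user:password
# Arguments: uri, user:password, then the command, object and any extra
# -parameter value pairs. The pass-through arguments come first, then -uri,
# and -auth is appended last, as the documentation requires.
splunk_remote_argv() {
    uri="$1"; auth="$2"; shift 2
    valid_splunk_uri "$uri" || { echo "bad -uri: $uri" >&2; return 1; }
    case "$auth" in
        *:*) ;;                                     # username:password
        *) echo "bad -auth: expected username:password" >&2; return 1 ;;
    esac
    for a in "$@" -uri "$uri" -auth "$auth"; do
        printf '%s\n' "$a"
    done
}

# Read a newline-separated argv on stdin and succeed only if -auth is the
# second-to-last element, i.e. the final parameter with its value.
auth_is_last() {
    prev=""; last=""
    while IFS= read -r line; do prev="$last"; last="$line"; done
    [ "$prev" = "-auth" ]
}

# Usage: show the argv that would run "list tail" on the placeholder server.
splunk_remote_argv https://splunk.example.com:8089 admin:changeme list tail
```

The composed line can be handed to the real binary with `./splunk "$@"` once the checks pass. Note that a password given as -auth user:password on the command line is visible to other local users in process listings and is recorded in shell history; on a shared host, the login command listed in the table above, which establishes a session instead, avoids putting the password on the command line.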
Note for Mac users
Mac OS X requires you to have superuser level access to run any command that accesses system files or directories. You must either run the command using sudo or "su -" for a new shell as root. The recommended method is to use sudo. (By default the user "root" is not enabled but any administrator user can use sudo.)
Enabling Splunk to start on system start
You enable Splunk to start at system start up by using the command ./splunk enable boot-start. With Mac OS, you must have root level permissions (or use sudo) to achieve the desired effect.
Note: To use sudo, you must have admin level access.
To enable Splunk to start at system start up on Mac OS, do one of the following:
- Make sure you have root level permissions and run:
  ./splunk enable boot-start
- Or run the command using sudo:
  sudo ./splunk enable boot-start
Splunk creates a script and configuration file in the /System/Library/StartupItems directory, which is run on system start. This will also stop Splunk on normal system shutdown.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4